With an ACF2 GENCERT or a TSS GENCERT command, can multiple values be defined in the subject altname extension? For example, two (2) URIs that represent two VPNs.
Release : 16.0
Component : ACF2 for z/OS and Top Secret for z/OS
The ACF2 GENCERT and TSS GENCERT commands support the ALTNAME parameter. That parameter can specify types IP, DOMAIN, EMAIL, and URI and their values for the subjectAltName extension. However, only one occurrence of each type, and one value within each type, is supported. For example:
ALtname(DOMAIN=sysa.test.com IP=xxx.xxx.x.xxx EMAIL=[email protected] URI=http://test.com)
Certificates that need more than one value in type DOMAIN can be created with an application such as the gskkyman utility, OpenSSL, keytool, or an external certificate authority. Those certificates can then be INSERTed or IMPORTed into the ACF2 security database.
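As an added illustration of the OpenSSL route (not part of the original article), the script below builds a self-signed certificate whose subjectAltName holds two DNS names and two URIs, then counts the entries to confirm they are present. The host names, URIs, file names and function names are constructed sample values. A self-signed certificate is used only so the example runs offline.

```shell
#!/bin/sh
# Added example: a certificate with several subjectAltName values of the
# same type, which the ALTNAME parameter of GENCERT cannot express.
# All host names, URIs and file names are constructed sample values.

make_multi_san_cert() {
    outdir=$1
    mkdir -p "$outdir" || return 1

    # In an OpenSSL config, a SAN type repeats by numbering it: .1, .2, ...
    cat > "$outdir/san.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ext

[ dn ]
CN = sysa.test.com

[ v3_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = sysa.test.com
DNS.2 = sysb.test.com
URI.1 = http://vpn1.test.com
URI.2 = http://vpn2.test.com
EOF

    # -nodes leaves the private key unencrypted on disk, so restrict access
    # to it and encrypt it before moving it to another system.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$outdir/san.cnf" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" || return 1
    chmod 600 "$outdir/key.pem"
}

# Print how many SAN entries of one type (DNS or URI) a certificate holds.
count_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | grep -c "^ *$2:"
}

# Usage: make_multi_san_cert ./san-demo && count_san ./san-demo/cert.pem URI
```

Checking the SAN contents before the certificate is inserted or imported confirms that every intended name made it into the extension.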
FEB 2023: Clarified/amplified explanation of ALTNAME parameter specification.